Skip to content

admin: SECURITY.md updates#5311

Merged
lgritz merged 1 commit into
AcademySoftwareFoundation:mainfrom
lgritz:lg-security
Jul 10, 2026
Merged

admin: SECURITY.md updates#5311
lgritz merged 1 commit into
AcademySoftwareFoundation:mainfrom
lgritz:lg-security

Conversation

@lgritz

@lgritz lgritz commented Jul 10, 2026

Copy link
Copy Markdown
Collaborator
  • Add recently published security advisories to SECURITY.md
  • Revision of security policy and definitions of vulnerability.
  • Also some minor forward-ports and adjustments of CHANGES.

The substantive change is explaining that our policy is to only consider vulnerabilities if they (a) allow remote code execution, privilege escalation, and other very severe problems (not crashes, OOM, or most "DoS" scenaries), and (b) are exploitable in practice by untrusted actors merely by presenting malicious routine input such as image files (misuse of APIs, for example, is not a vulnerability).

Everything else should be reported through the usual Issue/PR mechanism, and not use the security vulnerability reporting regime, which is massively more overhead for the maintainers.

- Add recently published security advisories to SECURITY.md
- Revision of security policy and definitions of vulnerability.
- Also some minor forward-ports and adjustments of CHANGES.

The substantive change is explaining that our policy is to only
consider vulnerabilities if they (a) allow remote code execution,
privilege escalation, and other very severe problems (not crashes,
OOM, or most "DoS" scenaries), and (b) are exploitable in practice by
untrusted actors merely by presenting malicious routine input such as
image files (misuse of APIs, for example, is not a vulnerability).

Everything else should be reported through the usual Issue/PR
mechanism, and not use the security vulnerability reporting regime,
which is massively more overhead for the maintainers.

Signed-off-by: Larry Gritz <lg@larrygritz.com>
@lgritz lgritz merged commit 0adaf3a into AcademySoftwareFoundation:main Jul 10, 2026
3 checks passed
@lgritz lgritz deleted the lg-security branch July 10, 2026 22:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant